Apple iOS 7.1 Fixes More Than 20 Code-Execution Flaws

Apple has fixed a slew of vulnerabilities that could lead to code execution on the iPhone, along with a number of other security flaws, in the latest version of its mobile operating system, iOS 7.1. The new release comes little more than two weeks after Apple shipped iOS 7.0.6 to fix the SSL certificate validation error that let an attacker on the network impersonate a server and intercept encrypted traffic.

Unlike that release, which fixed just the one vulnerability, significant though it was, iOS 7.1 is a major security release containing patches for a large number of vulnerabilities across several different components. WebKit, the rendering engine underlying Safari, got a major security upgrade in iOS 7.1, with Apple fixing 19 separate memory corruption issues, any of which could be triggered by visiting a maliciously crafted web page. Nearly half of those vulnerabilities were discovered by the Google Chrome security team, and many of the 19 bugs were identified last year.

Among the code-execution vulnerabilities patched in the new release are a pair of buffer overflows in ImageIO, the library that handles reading and writing of multiple image formats, which could be triggered by a maliciously crafted image file. Apple also fixed a code-execution flaw in the kernel caused by an out-of-bounds memory access issue in the ARM ptmx_get_ioctl function. There also is a fix for a vulnerability in the way that Office Viewer handled certain Microsoft Word documents, where opening a crafted document could lead to code execution.

Along with the more serious code-execution bugs, Apple also pushed out a fix for a vulnerability in the iTunes Store that could allow an attacker on the same network to trick a user into downloading a malicious app.

“An attacker with a privileged network position could spoof network communications to entice a user into downloading a malicious app. This issue was mitigated by using SSL and prompting the user during URL redirects,” Apple said in its advisory.

There were patches for several other less-serious vulnerabilities, as well. The full list of fixes is included in the Apple advisory.

About Dennis Fisher

Dennis Fisher is a journalist with more than 13 years of experience covering information security.
